add 6.1.12
parent
bce95a5b08
commit
69b85812eb
@ -118,6 +118,7 @@ GitHub 地址:https://github.com/firmianay/CTF-All-In-One
|
|||||||
* [6.1.9 pwn RHme3 Exploitation](doc/6.1.9_rhme3_exploitation.md)
|
* [6.1.9 pwn RHme3 Exploitation](doc/6.1.9_rhme3_exploitation.md)
|
||||||
* [6.1.10 pwn 0CTF2017 BabyHeap2017](doc/6.1.10_0ctf2017_babyheap2017.md)
|
* [6.1.10 pwn 0CTF2017 BabyHeap2017](doc/6.1.10_0ctf2017_babyheap2017.md)
|
||||||
* [6.1.11 pwn 9447CTF2015 Search-Engine](doc/6.1.11_9447ctf2015_search_engine.md)
|
* [6.1.11 pwn 9447CTF2015 Search-Engine](doc/6.1.11_9447ctf2015_search_engine.md)
|
||||||
|
* [6.1.12 pwn N1CTF2018 vote](doc/6.1.12_n1ctf2018_vote.md)
|
||||||
* re
|
* re
|
||||||
* [6.2.1 re XHPCTF2017 dont_panic](doc/6.2.1_re_xhpctf2017_dont_panic.md)
|
* [6.2.1 re XHPCTF2017 dont_panic](doc/6.2.1_re_xhpctf2017_dont_panic.md)
|
||||||
* [6.2.2 re ECTF2016 tayy](doc/6.2.2_re_ectf2016_tayy.md)
|
* [6.2.2 re ECTF2016 tayy](doc/6.2.2_re_ectf2016_tayy.md)
|
||||||
|
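--- a/doc/6.1.12_n1ctf2018_vote.md
+++ b/doc/6.1.12_n1ctf2018_vote.md
@@ -0,0 +1,42 @@
+# 6.1.12 pwn N1CTF2018 vote
+
+- [题目复现](#题目复现)
+- [题目解析](#题目解析)
+- [参考资料](#参考资料)
+
+
+[下载文件](../src/writeup/6.1.12_n1ctf2018_vote)
+
+## 题目复现
+这个题目给了二进制文件和 libc:
+```
+$ file vote
+vote: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=53266adcfdcb7b21a01e9f2a1cb0396b818bfba3, stripped
+$ checksec -f vote
+RELRO STACK CANARY NX PIE RPATH RUNPATH FORTIFY Fortified Fortifiable FILE
+Partial RELRO Canary found NX enabled No PIE No RPATH No RUNPATH Yes 0 4 vote
+```
+看起来就是个堆利用的问题:
+```
+$ ./vote
+0: Create
+1: Show
+2: Vote
+3: Result
+4: Cancel
+5: Exit
+Action:
+```
+
+然后就可以把它运行起来了:
+```
+$ socat tcp4-listen:10001,reuseaddr,fork exec:"env LD_PRELOAD=./libc-2.23.so ./vote" &
+```
+
+
+## 题目解析
+#### Exploit
+
+
+## 参考资料
+https://ctftime.org/task/5490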
@ -2,6 +2,7 @@
|
|||||||
|
|
||||||
- [题目解析](#题目解析)
|
- [题目解析](#题目解析)
|
||||||
- [Exploit](#exploit)
|
- [Exploit](#exploit)
|
||||||
|
- [参考资料](#参考资料)
|
||||||
|
|
||||||
|
|
||||||
[下载文件](../src/writeup/6.1.5_pwn_grehackctf2017_beerfighter)
|
[下载文件](../src/writeup/6.1.5_pwn_grehackctf2017_beerfighter)
|
||||||
@ -182,3 +183,7 @@ payload_2 += str(frame_2)
|
|||||||
io.sendline(payload_2)
|
io.sendline(payload_2)
|
||||||
io.interactive()
|
io.interactive()
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
||||||
|
## 参考资料
|
||||||
|
https://ctftime.org/task/4939
|
||||||
|
@ -970,4 +970,4 @@ p.interactive()
|
|||||||
|
|
||||||
|
|
||||||
## 参考资料
|
## 参考资料
|
||||||
- [Exploitation](https://ctftime.org/task/4528)
|
https://ctftime.org/task/4528
|
||||||
|
@ -4,7 +4,7 @@
|
|||||||
- [参考资料](#参考资料)
|
- [参考资料](#参考资料)
|
||||||
|
|
||||||
|
|
||||||
章节 4.5 中讲解了 Z3 约束求解器的基本使用方法,通过这一题,我们可以更进一步地熟悉它。
|
章节 5.8.1 中讲解了 Z3 约束求解器的基本使用方法,通过这一题,我们可以更进一步地熟悉它。
|
||||||
|
|
||||||
[下载文件](../src/writeup/6.2.2_re_ectf2016_tayy)
|
[下载文件](../src/writeup/6.2.2_re_ectf2016_tayy)
|
||||||
|
|
||||||
|
@ -12,6 +12,7 @@
|
|||||||
- [6.1.9 pwn RHme3 Exploitation](6.1.9_rhme3_exploitation.md)
|
- [6.1.9 pwn RHme3 Exploitation](6.1.9_rhme3_exploitation.md)
|
||||||
- [6.1.10 pwn 0CTF2017 BabyHeap2017](6.1.10_0ctf2017_babyheap2017.md)
|
- [6.1.10 pwn 0CTF2017 BabyHeap2017](6.1.10_0ctf2017_babyheap2017.md)
|
||||||
- [6.1.11 pwn 9447CTF2015 Search-Engine](6.1.11_9447ctf2015_search_engine.md)
|
- [6.1.11 pwn 9447CTF2015 Search-Engine](6.1.11_9447ctf2015_search_engine.md)
|
||||||
|
- [6.1.12 pwn N1CTF2018 vote](6.1.12_n1ctf2018_vote.md)
|
||||||
- re
|
- re
|
||||||
- [6.2.1 re XHPCTF2017 dont_panic](6.2.1_re_xhpctf2017_dont_panic.md)
|
- [6.2.1 re XHPCTF2017 dont_panic](6.2.1_re_xhpctf2017_dont_panic.md)
|
||||||
- [6.2.2 re ECTF2016 tayy](6.2.2_re_ectf2016_tayy.md)
|
- [6.2.2 re ECTF2016 tayy](6.2.2_re_ectf2016_tayy.md)
|
||||||
|
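--- a/src/writeup/6.1.12_n1ctf2018_vote/run.sh
+++ b/src/writeup/6.1.12_n1ctf2018_vote/run.sh
@@ -0,0 +1 @@
+socat tcp4-listen:10001,reuseaddr,fork exec:"env LD_PRELOAD=./libc-2.23.so ./vote" &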
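Review bot: The `tcp4-listen:10001` address carries no `bind=` option, so socat accepts connections on every interface and anyone who can reach the host can drive the deliberately vulnerable `vote` binary for as long as the background job runs. For a local reproduction I would restrict it to loopback, `socat tcp4-listen:10001,bind=127.0.0.1,reuseaddr,fork exec:"env LD_PRELOAD=./libc-2.23.so ./vote" &`, or run it inside a VM or container with no published port. The script also has no `#!/bin/sh` line, and the relative `./libc-2.23.so` and `./vote` paths mean it only works when started from the directory that holds those files. The same command is repeated in doc/6.1.12_n1ctf2018_vote.md and would benefit from the same loopback restriction.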
BIN
src/writeup/6.1.12_n1ctf2018_vote/vote
Normal file
BIN
src/writeup/6.1.12_n1ctf2018_vote/vote
Normal file
Binary file not shown.
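--- a/src/writeup/6.1.12_n1ctf2018_vote/vote.c
+++ b/src/writeup/6.1.12_n1ctf2018_vote/vote.c
@@ -0,0 +1,173 @@
+#include <stdio.h>
+#include <time.h>
+#include <stdlib.h>
+#include <stdint.h>
+#include <string.h>
+#include <unistd.h>
+#include <pthread.h>
+
+#define MAX 0x10
+
+char *users[MAX];
+long counts[MAX];
+int vote_num;
+
+void read_until_nl_or_max(char *dst, size_t len) {
+size_t i = 0;
+for (;;) {
+if (read(0, &dst[i], 1) == -1)
+exit(1);
+if (dst[i] == '\n') {
+dst[i] = '\0';
+return;
+}
+i++;
+if (i >= len) {
+dst[i - 1] = '\0';
+return;
+}
+}
+}
+
+void puts_heapless(char *str) {
+write(1, str, strlen(str));
+write(1, "\n", 1);
+fflush(stdout);
+}
+
+void print(char *str) {
+write(1, str, strlen(str));
+fflush(stdout);
+}
+
+int read_int() {
+char tmp[8];
+memset(tmp, 0, 8);
+read_until_nl_or_max(tmp, 8);
+return atoi(tmp);
+}
+
+void *vote_thread(void *arg) {
+sleep(3);
+++(counts[vote_num]);
+return NULL;
+}
+
+void create() {
+int size;
+char *user;
+int i;
+for (i = 0; i < MAX; i++) {
+if (users[i] == NULL) {
+print("Please enter the name's size: ");
+size = read_int();
+if (size > 0 && size <= 0x1000) {
+user = (char *)malloc(size + 0x10);
+*(long *)(user) = 0;
+*(long *)(&user[8]) = time(NULL);
+print("Please enter the name: ");
+read_until_nl_or_max(&user[16], size);
+users[i] = user;
+}
+return;
+}
+}
+}
+
+void show() {
+int index;
+char tmp[266];
+memset(tmp, 0, 266);
+print("Please enter the index: ");
+index = read_int();
+if (index >= 0 && index < MAX && users[index] != NULL) {
+snprintf(tmp, 256, "name: %s\ncount: %lu\ntime: %lu", &users[index][16], *(long *)(users[index]), *(long *)(&users[index][8]));
+puts_heapless(tmp);
+}
+}
+
+void vote() {
+int index;
+pthread_t id;
+print("Please enter the index: ");
+index = read_int();
+if (index >= 0 && index < MAX && users[index] != NULL) {
+++(*(long *)(users[index]));
+*(long *)(&users[index][8]) = time(NULL);
+vote_num = index;
+pthread_create(&id, NULL, &vote_thread, NULL);
+}
+}
+
+void result() {
+int i;
+char tmp[266];
+memset(tmp, 0, 266);
+for (i = 0; i < MAX; i++) {
+if (counts[i] != 0) {
+snprintf(tmp, 256, "%d\t->\t%lu", i, counts[i]);
+puts_heapless(tmp);
+fflush(stdout);
+}
+}
+}
+
+void cancel() {
+int index;
+print("Please enter the index: ");
+index = read_int();
+if (index >= 0 && index < MAX && users[index] != NULL) {
+--(counts[index]);
+--(*(long *)(users[index]));
+if (counts[index] == *(long *)(users[index])) {
+if (counts[index] < 0) {
+free(users[index]);
+}
+return;
+}
+if (counts[index] < 0) {
+printf("%s", &users[vote_num][16]);
+fflush(stdout);
+puts_heapless(" has freed");
+free(users[index]);
+users[index] = 0;
+}
+}
+}
+
+int main(void) {
+setvbuf(stdin, NULL, _IONBF, 0);
+int c;
+alarm(30);
+for (;;) {
+puts_heapless("0: Create");
+puts_heapless("1: Show");
+puts_heapless("2: Vote");
+puts_heapless("3: Result");
+puts_heapless("4: Cancel");
+puts_heapless("5: Exit");
+print("Action: ");
+if (scanf("%d", &c) == EOF)
+exit(1);
+if (c == 0) {
+create();
+}
+if (c == 1) {
+show();
+}
+if (c == 2) {
+vote();
+}
+if (c == 3) {
+result();
+}
+if (c == 4) {
+cancel();
+}
+if (c == 5) {
+puts_heapless("Bye");
+exit(0);
+}
+}
+return 0;
+}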
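Review bot: In `cancel()`, the first `free(users[index]);` (the branch taken when `counts[index]` equals the record's own counter) returns without clearing the slot, so `users[index]` stays non-NULL and `show()`, `vote()` and a later `cancel()` keep dereferencing freed memory; the second branch does clear it with `users[index] = 0;`. Since this file is the challenge's reference source the flaw is presumably deliberate, so I would mark it with a comment such as `/* intentional: slot not cleared after free (dangling pointer, CWE-416) */` and state that a corrected build adds `users[index] = NULL;` right after that `free`. The same function prints `&users[vote_num][16]` rather than `&users[index][16]`, and `vote_thread()` increments `counts[vote_num]` three seconds later from a thread that is never joined and takes no lock, so both deserve a one-line comment saying whether they are part of the exercise. Separately, `create()` writes through the `malloc` result without a NULL check, and `read_until_nl_or_max()` treats only `-1` from `read` as an error, so on end of input (return value 0) it keeps stepping through `dst` without storing anything until `len` is reached.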